
Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution

Critical
Advisory ID: ZSL-2020-5565
Release Date: 24 April 2020
Vendor: Furukawa Electric Co., Ltd. - https://www.furukawa.co.jp, Tecnored SA - https://www.tecnoredsa.com.ar
Affected Version: 2.8.1, 2.7.10, 2.6.4, 2.3.1, 2.1.49, 2.1.36, 2.1.31, 2.1.18, 2.1.16, 2.1.15, 2.1.1, 2.0.1174, 1.8, 1.4.70
Tested On: Apache Tomcat/7.0.68, Apache Tomcat/7.0.52, Apache MyFaces/2.2.1, Apache MyFaces/2.1.17, Apache MyFaces/2.0.10, GNU/Linux 4.4.0-173, GNU/Linux 4.4.0-137, GNU/Linux 4.4.0-101, GNU/Linux 4.4.0-83, GNU/Linux 3.15.0, GNU/Linux 3.13.0-32, PrimeFaces/4.0.RC1, Apache-Coyote/1.1, ACC Library 3.1, Ubuntu 16.04.2, Ubuntu 14.04.2, Java/1.8.0_242, Java/1.8.0_181, Java/1.8.0_131, Java/1.7.0_79, MySQL 5.7.29, MySQL 5.7.18
Summary

Apros Evolution / Furukawa / ConsciusMap is the Tecnored provisioning system for FTTH networks. It provides complete administration of your entire external FTTH network plant, from the ONUs installed at each end customer to the wiring and junction boxes. Unify all the management of your FTTH network on a single platform. Unify all your data, whether from customers, your network, or the external plant, in one place. APROS FTTH allows you to manage your entire FTTH network in a simple and globalized way with just one click, without being a network expert. Includes services such as: bandwidth limitation, Turbo Internet for time plans, BURST Internet, QinQ for companies, and many more. General and per-customer consumption graphs in real time. Captive Portal for cutting or suspension of the service.

Description

The FTTH provisioning solution suffers from an unauthenticated remote code execution vulnerability caused by unsafe deserialization of Java objects (ViewState), triggered via the 'javax.faces.ViewState' HTTP POST parameter. The deserialization can cause the vulnerable JSF web application to execute arbitrary Java functions, malicious Java bytecode, and system shell commands with root privileges.
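
For triage of captured or logged requests, the following added example (not part of the original advisory or the vendor's code) classifies `javax.faces.ViewState` values by what they decode to, without ever deserializing them. It assumes the value is Base64, optionally gzip-compressed, as JSF client-side state commonly is; the function names, verdict labels and sample values are constructed for illustration.

```python
import base64, binascii, gzip, zlib
from urllib.parse import parse_qs, urlencode

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream header (magic + version)
GZIP_MAGIC = b"\x1f\x8b"

def classify_viewstate(value: str) -> str:
    """Classify one URL-decoded javax.faces.ViewState value without deserializing it."""
    value = value.replace(" ", "+")  # a '+' logged unescaped comes back as a space
    if not value:
        return "empty"
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"  # e.g. a server-side state identifier
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return "opaque"
    if raw.startswith(JAVA_STREAM_MAGIC):
        return "plain-java-serialized"  # unencrypted object stream sent by the client
    return "opaque"  # possibly encrypted or MAC-protected; this check cannot tell

def scan_post_body(body: str) -> list[str]:
    """Return one verdict per javax.faces.ViewState field in a form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    return [classify_viewstate(v) for v in fields.get("javax.faces.ViewState", [])]

# Constructed sample values: a stream header plus filler bytes, not real application state.
_FAKE_STREAM = JAVA_STREAM_MAGIC + b"constructed-filler"
SAMPLES = {
    "plain": base64.b64encode(_FAKE_STREAM).decode(),
    "gzipped": base64.b64encode(gzip.compress(_FAKE_STREAM)).decode(),
    "opaque": base64.b64encode(bytes(range(16, 48))).decode(),
    "token": "-4162:7731",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        body = urlencode({"form:user": "x", "javax.faces.ViewState": value})
        print(name, scan_post_body(body))
```

A `plain-java-serialized` verdict means the client is supplying a raw Java object stream in that parameter, which is the input the deserialization described above operates on; such requests from unauthenticated sources merit investigation.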

Proof of Concept
Disclosure Timeline
24.02.2020 - Vulnerability discovered.
25.02.2020 - Vendor contacted.
07.04.2020 - No response from the vendor.
08.04.2020 - Vendor contacted.
23.04.2020 - No response from the vendor.
24.04.2020 - Public security advisory released.
18.05.2020 - Vendor releases version 2.8.5.4 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
24.04.2020 - Initial release
26.04.2020 - Added reference [5]
27.04.2020 - Added reference [6] and [7]
22.05.2020 - Added vendor status and reference [8]
14.08.2020 - Added reference [9] and [10]